CVE-2008-4582

Debian Linux - Access Control

Title source: rule

Description

Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13, when running on Windows, do not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Liu Die Yu · htmlremotemultiple

https://www.exploit-db.com/exploits/32466

View Code ZIP pw:eip

References (32)

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/45740

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1021190

[Not Applicable] https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html

[Third Party Advisory] http://www.debian.org/security/2009/dsa-1697

[Third Party Advisory] http://www.debian.org/security/2008/dsa-1671

[Not Applicable] http://www.vupen.com/english/advisories/2009/0977

[Issue Tracking] https://bugzilla.mozilla.org/show_bug.cgi?id=455311

[Permissions Required, Third Party Advisory] http://secunia.com/advisories/32192

[Vendor Advisory] http://www.mozilla.org/security/announce/2008/mfsa2008-47.html

[Third Party Advisory, VDB Entry] http://securitytracker.com/alerts/2008/Nov/1021212.html

[Third Party Advisory] http://www.debian.org/security/2008/dsa-1669

[Permissions Required, Third Party Advisory] http://secunia.com/advisories/32778

[Not Applicable] https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html

[Permissions Required, Third Party Advisory] http://secunia.com/advisories/33433

[Not Applicable] http://www.vupen.com/english/advisories/2008/2818

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/497091/100/0/threaded

[Broken Link] http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1

[Third Party Advisory] http://securityreason.com/securityalert/4416

[Permissions Required, Third Party Advisory] http://secunia.com/advisories/32721

[Third Party Advisory, US Government Resource] http://www.us-cert.gov/cas/techalerts/TA08-319A.html

... and 12 more

Scores

EPSS 0.3558

EPSS Percentile 97.1%

Details

CWE

CWE-264

Status published

Products (41)

canonical/ubuntu_linux 6.06

canonical/ubuntu_linux 7.10

canonical/ubuntu_linux 8.04

canonical/ubuntu_linux 8.10

debian/debian_linux 4.0

mozilla/firefox 3.0.1

mozilla/firefox 3.0.2

mozilla/firefox 3.0.3

mozilla/firefox 2.0

mozilla/firefox 2.0.0.1

... and 31 more

Published Oct 15, 2008

Tracked Since Feb 18, 2026